Your GDPR + Email Marketing Playbook: How to Prepare for the EU Data Law

Update 5/16/18: We have Data Processing and Security Terms.

A new law called the General Data Protection Regulation (GDPR) went into effect on May 25, 2018 — and it impacted email marketers around the world.


The good news? If you’re using AWeber, you’re probably already doing many of the things required.

Keep reading for a walkthrough of the GDPR, what AWeber is doing to prepare, what it means for your email marketing business, and how you can prepare for the changes.

Update 4/28/18: Want to learn about the most common myths surrounding the GDPR and email marketing? We wrote about it here!

Disclaimer: This blog post is for informational purposes only, and you should not consider it legal advice. We recommend that you seek legal and other professional counsel to determine exactly how the GDPR might apply to you.

What is the GDPR?

The GDPR is a European privacy law approved by the European Commission in 2016. Its purpose is to “harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data privacy.”

(Want to succeed with email marketing? Then you need to sign up for Everyday Email, a FREE course that makes it simple and fun! 30 short, easy-to-follow tips sent to your inbox for 30 days.)

This is fantastic news for EU citizens. The GDPR will hold businesses and entrepreneurs more accountable for data breaches, require them to not only keep records of a person’s consent to disclose personal information, but also clearly state what the data will be used for up front.

Why the GDPR is a good thing for email marketers

The goal of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world.

While it requires a bit more effort on your part, it can also lead to some pretty important benefits to your email marketing.

Here’s why…

By taking greater measures to protect and use subscriber data correctly, you’re more likely to send more relevant, targeted, permission-based emails to your subscribers. And that can translate into more trust with your subscribers, fewer spam complaints and unsubscribes, and better email deliverability.

Win. Win. Win!

Who does the GDPR affect?

The GDPR applies to any data controller or processor who collects, records, organizes, stores or performs any operations on personal data of those who live in the EU — even if you don’t reside in a European country.

Personal data is any data that can be used to identify a person, including email addresses.

Data Controller? Processor? What are those?

Here’s a quick definition of each:

Data Controller: Any individual or business who determines how an individual’s personal data is processed.

Data Processor: Any individual or business who processes personal data on behalf of the controller.

As an AWeber customer who collects EU resident data, you would more than likely be considered a Data Controller. AWeber would be considered a Data Processor.

How does the GDPR affect me?

To understand how the GDPR will affect you, it’s first important to understand the key rights the new law protects and how these rights apply to you:

  • Right to be informed: Your EU subscribers can ask about personal data, how it is used, and why it is being used at any time.
  • Right of access: Your EU subscribers can request a copy of personal information at any time.
  • Right of rectification: Your EU subscribers can update (or request updates to) personal information at any time.
  • Right of erasure: Your EU subscribers may request that you or AWeber erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
  • Right to object: Your EU subscribers may unsubscribe from any of your emails at any time.

Knowing these rights allows you to better understand your responsibility in protecting these rights.

How to prepare your business for the GDPR

There’s a lot to think about with the GDPR, and we understand that it can feel a bit overwhelming. So we’ve outlined five steps you can take to help prepare for the GDPR.

1. Continue to abide by AWeber’s terms of service and privacy policy

We recently updated our privacy policy and terms of service for customers, affiliates, and developers who use our API. These updates reflect what we’re doing to be compliant with the GDPR.

Be sure to continue abiding by these terms of service and privacy policy:

2. Get explicit, opt-in consent from subscribers

The GDPR describes consent as “freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Translation: You must explain how you will use a person’s data before he or she gives it to you. If you plan to use a person’s data for multiple reasons, you must disclose all those purposes from the get-go.

For example, imagine you have a weekly blog newsletter. Once a person subscribes, they’ll receive a weekly newsletter from you, as well as an occasional email promoting your product. To be compliant with the GDPR, you must explain on your signup form that subscribers will receive both educational newsletter emails and promotional emails.

There’s been a lot of talk about the need to have checkboxes in your signup form to be compliant with the GDPR. However, checkboxes are not necessary to comply with the GDPR, but are simply one of many ways to prove consent.

Another way to prove consent is by adding simple language to your signup form that clearly explains how you will use a subscriber’s personal data, what kind of content you will be sending them, and how often you will be sending it.

If you do, however, decide to use an optional checkbox on your signup form, make sure your checkbox is not pre-checked. To get affirmative consent, subscribers need to check the box themselves.

Here’s an example from outdoor enthusiast Paul Kirtley that demonstrates how to clearly explain how a subscriber’s personal data will be used:

As you’re reviewing your signup forms, here are a few questions to ask yourself:

  • Have I made it clear to the subscriber what information I am collecting?
  • Have I made it clear to the subscriber why I am collecting their information?
  • Have I made it clear what information I will be sending them?
  • Have I made it clear how often I will be sending them information?

Another common question people have is this: Do I need to have double opt-in (aka confirmed opt-in) now with the GDPR?

You don’t need to have double opt-in to be compliant with the GDPR. You can still use single opt-in and be compliant if you can prove informed consent in another manner. However, there are benefits to using double opt-in, including a more engaged list of subscribers and better deliverability.

For the subscribers who are already on your list, you can send a re-engagement email prior to the GDPR taking effect to confirm continued consent to receive your emails.

You can use AWeber’s new click automations for broadcasts to tag subscribers who click the confirmation link in the email.

3. Create or update your public-facing privacy policies

Along the same lines as gaining explicit consent, it’s a good practice to create, review, and update your public-facing policies around data collection and usage.

As mentioned above, your subscribers have a right to know how their personal data is being used, so make that clear and easy to understand in your policy.

Also, make sure your policies are easy to find. You can do this by adding a link to your policies within the footer of your signup form, emails, and website.

4. Document and communicate a process for data requests from subscribers.

The GDPR requires that you document and communicate a process for subscribers to opt out, make changes to their personal data, request copies of their personal data, or request that their data be deleted entirely from your records.

You may need to document a process for subscribers to make such requests.

Once you have this process documented, you can communicate it through your public-facing privacy policy as well as within your emails.

Here are the types of requests to document and communicate, and how to fulfill them:

Unsubscribing from your list

Under the GDPR, subscribers have the right to object or opt out of your communication at any time.

Your subscribers already have the ability to unsubscribe on their own using the “Unsubscribe” link in the footer of your emails.

However, you can also unsubscribe them manually if they request it, either on a list-by-list basis or by bulk unsubscribing someone.

You can also make this option more obvious by adding it within your email messages. Here’s an example from AWeber customer Ann Handley with her bi-weekly Total ANNARCHY newsletter. You’ll notice she added an unsubscribe link following her signature, with some playful language.

Updating personal data

Subscribers also have the right to rectify or update their personal data at any time.

Similar to the unsubscribe link in your emails, subscribers already have the ability to update their personal data on their own using the “Change subscriber options” link in the footer of your emails. However, you can update their information manually upon request.

Requesting a copy of personal data you maintain

With the GDPR, your subscribers have the right to access their personal data you maintain.

Unlike opting out or update personal data, your subscribers won’t be able to access this information on their own. Instead, they will need to request it from you.

AWeber makes this easy for you to find this information within subscriber management. Using the filters, you can search for the subscriber’s email address. Then using the “Export CSV” option, you can export your subscriber information in a format you can deliver to them.

Deleting subscriber data entirely from your records

Under the GDPR, your subscribers also have the right of erasure. In other words, the right to be forgotten. That means you must delete their personal data upon request.

Deleting subscribers is easily done within your AWeber account using the “Search All Lists” feature. Simply use the “email” filter to search for the subscriber’s email address. Then check the box(es) next to their name and click “Delete.”

When you delete a subscriber from your list, that subscriber’s personal information will be deleted entirely from your reports and your list. However, deleting a subscriber will not affect your reporting data; you’ll still be able to view anonymous, aggregate reporting data in your account, but the deleted subscriber’s name and email address will be removed.

5. Begin keeping comprehensive records of how you collect personal data.

The GDPR also requires that you can prove the nature of consent between you and your subscribers. This has two parts: showing the signup source in the subscriber data, as well as a copy of the signup form or data collection mechanism from which they provided that consent.

You can accomplish this by either saving the underlying code, a screenshot or PDF you used to collect their information.

Remember: these tips are not intended to be legal advice and in no way represent a comprehensive standard for ensuring the GDPR compliance.

Download our GDPR checklist

Whew! That was a lot of information. Fortunately, we’ve boiled it down to a one-sheet checklist for a quick reference as you prepare for the GDPR.

What is AWeber doing to prepare for the GDPR?

AWeber is already self-certified with both the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield, and we comply with lawful transfers of EU/EEA personal data to the U.S. in accordance with our Privacy Shield Certification.

Additionally, we are actively preparing to be fully compliant with the GDPR by May 25, 2018.

To help us do so, we formed a dedicated, cross-functional team to organize, lead and carry out the work that needed to be done to bring AWeber into compliance with the GDPR.

Here’s what this team has been working on:

  • Developing a comprehensive strategy to comply with the GDPR
  • Conducting a detailed audit of our personal data and processing practices
  • Updating our terms of service and privacy policy to include the GDPR changes
  • Review our services to ensure we protect the rights of EU citizens mentioned above
  • Developing Data Processing and Security Terms for our customers

Moving forward, we will hold regular training sessions to ensure our team members are always up-to-date on our processes and best practices for helping our customers.

What’s next?

Update 4/28/18: Still confused about the GDPR? Not to worry. We set the record straight about six common myths surrounding the GDPR and email marketing.

Update 5/16/18: We now have Data Processing and Security Terms.

To learn more about the GDPR, visit www.eugdpr.org.

Have questions? Comment below and we’ll do our best to answer them.

Not an AWeber customer? Get the peace of mind of working with a trusted provider. Create a free AWeber account today.

24 Comments

  1. MaryAnn

    4/13/2018 1:49 pm

    Is the signup form on this page an example of what we should do? It is really fuzzy about what I am signing up for. “This blog” could mean this particular posts, or all posts in the blog … forever. It doesn’t say how often, nor does it specify how that info will be used. mmmmm

  2. Brandon Olson

    4/13/2018 1:59 pm

    Hi MaryAnn! That’s a great question. The signup form above is an example of a form that would comply with GDPR, as it specifically explains that you will be receiving updates from our blog in your inbox.

    Let me know if you have any other questions.

    Brandon

  3. Tomer

    4/13/2018 3:57 pm

    This is a great article, one of the best I’ve seen about GDPR so far. Love the examples too.
    Thanks!

  4. Tara

    4/14/2018 2:38 am

    This is an excellent article. One small thing I wasn’t quite sure about was in point 4: “You can accomplish this by either saving the underlying code, a screenshot or PDF you used to collect their information.” Wouldn’t it be enough to just go the subscriber’s file on AWeber and we would be able to prove when and where they signed up? Or do you mean we should take a screenshot of the actual sign up form the person used to sign up? Thank you.

  5. Brandon Olson

    4/16/2018 9:02 am

    Hi Tara and Jennifer,

    It’s a good practice to not only access your subscriber’s info in your AWeber account, but also show the data collection mechanism (i.e., the signup form) you used to collect that subscriber’s info. Your AWeber account will show the source of the signup (i.e., your website), but will not show which form was used and what that form looked like at the time the subscriber signed up.

    I recommend taking screenshots of the signup forms you’re currently using as well as documenting any changes you make to these, or any new forms you create, moving forward.

    If you’re unclear on what signup form was used when someone signed up, it would probably be a good idea to send a re-engagement email to ensure you can prove the subscriber’s consent to email them moving forward, and document this consent mechanism, whether that’s an email with click-automation and a tag, or an entirely new signup form.

    I hope that answers your question. Please let us know if you have any others.

    – Brandon

  6. Barry

    4/14/2018 3:34 am

    Good information.
    It is more difficult to see how these changes are implemented when using API to add subscribers – for example when customers buy a product through a cart. I guess that is whn a checkbox should be used.

    Also, how does this impact the use of third party tools like AWProtools?

  7. Brandon Olson

    4/16/2018 9:07 am

    Hi Barry and Trish,

    If you’re using any AWeber integration, you’ll need to make sure the tool(s) you’re using outside of AWeber is also compliant with the GDPR.

    In the example you gave about buying a product, if you’re planning to send other emails to subscribers, it will be important to obtain that consent from the subscriber at the point of purchase, whether that’s with some clear, explanative language. A checkbox isn’t necessarily required, unless you’d like people to be able to purchase a product without requiring them to sign up for other emails from you.

    – Brandon

  8. Trish

    4/14/2018 6:40 am

    My question is the same as Barry’s re: API. I’m checking with the providers I use, but would love to hear AWeber’s take on this, too. Thanks!

  9. GoLocalApps

    4/14/2018 7:47 pm

    Nice overview of the issue. I wonder where we’ll the issues with compliance and enforcement.

  10. Jennifer

    4/15/2018 10:26 am

    I have the same question as Tara regarding point 4.

  11. Andy

    4/15/2018 12:05 pm

    Thanks for the article. Two additional questions:

    1. When will the data processing agreements be available for your customers?

    2. Do you plan to add confirmation check boxes as a feature for the sign up boxes?

  12. Brandon Olson

    4/16/2018 9:15 am

    Hi Andy,

    Great questions!

    1. We are working on developing Data Processing and Security Terms for our customers, but do not have a date yet for when these terms will be available. We will update this blog post once they are ready.

    2. You already have the ability to add checkboxes to your AWeber signup forms; this is not a new feature. You can also apply tags to subscribers when they check the box, allowing you to document consent for each subscriber. Here’s a help article that explains how to add checkboxes to your signup form, as well as how to add tags to checkboxes.

    If you have any other questions, please let us know!

    – Brandon

  13. Nancy

    4/17/2018 6:21 am

    Very helpful, thank you.

  14. GREG WILLIAMS

    4/18/2018 10:00 am

    Hi thanks for this. With the existing subscribers, is it a GPDR requirement that we ask them to confirm they wish to remain on our list? And for all those who dont confirm we have to delete them? And if so is that by May 25th? Or can we just remind them they can unsubscribe if they wish? Thanks

  15. Brandon Olson

    4/18/2018 10:54 am

    Hi Greg,

    One of the main points of the GDPR is that you can prove consent. If you’re able to prove that your subscribers consented to your emails, there’s no need to send a re-engagement email.

    Proof should include the data/time they signed up, as well as the source of the signup, both of which you can find in your AWeber account, plus a copy of the actual signup form used to collect their data.

    If you’re missing any of that info, it’s probably a good idea to ask them to re-confirm consent. To set this up, first create a segment of subscribers who need to re-confirm. Then send them an email, asking them to re-confirm. You can use our new click automation in broadcasts to apply a tag to your subscribers in your account, rather than have them fill out another signup form. Just be sure to also keep a copy of the re-engagement email you sent as proof of consent.

    If you don’t receive confirmed consent by May 25, you should delete them from your list and not email them again.

    I hope that answers your questions. Any other questions, please let us know.

    Brandon

  16. Scott

    4/19/2018 6:36 am

    Brilliant information, and so needed at the moment, so many “advise” based services for this popping up that I just dont trust so getting something from a trusted site like aweber I can also show my clients is worth its weight in gold 🙂

  17. Mary

    4/19/2018 9:34 pm

    Hi Brandon. Great article. So helpful.

    Where can I find out more about “click automation” that you mention in the context of “rec-confirm consent?”

    Also, are there any plans to make the recording of the sign-up form used by the subscriber any less unwieldy in the future? I realize the manual aspect of taking a screenshot as mentioned in point #5 is the only option for now, but doesn’t seem sustainable.

    Thx again. Mary

  18. Brandon Olson

    4/19/2018 9:59 pm

    Hi Mary,

    I’m glad you asked about click automations for broadcasts! It’s one of our newest features.

    Check out the first video from Tom in this blog post (under the heading “Segment your subscribers with ease”). In the video, Tom shows you how the new click automations for broadcasts can be used to tag a subscriber when they click a link in your email. You can use a tag like “GDPR” to designate that they reconfirmed for GDPR purposes.

    Here’s also a helpful step-by-step article that shows you how to do this.

    It’s a good idea to have a destination for them to arrive at after clicking the re-confirm link in the broadcast. This could be your main website or, better yet, a unique landing page that thanks them for reconfirming their subscription.

    As of now, there are no plans to make recording the signup form used by the subscriber more easy. However, I will take that feedback to the team to see if there’s anything we can do to make that easier in the future. Great suggestion – thanks!

    Brandon

  19. John Pearce

    4/23/2018 12:21 pm

    Great and very helpful, thanks. I think a key area of concern for those with established lists is what to do with existing subscribers.

    Writing to them and asking them to opt in again through a re-engagement campaign is going to mean losing large percentages of any list. I know, I know – your answer is likely to be that we only want to retain people on a healthy list that would respond in this way, but please understand that would be bit of a platitude!

    What other options do we have? Is it not enough to put procedures in place for future subscribers? Does GDPR specifically require existing subscribers’ consent to be explicitly gained again?

    Thanks for all the great advice!

  20. Brandon Olson

    4/23/2018 1:35 pm

    Hi John,

    Thanks for your comment. The GDPR applies to new and existing subscribers. One of the main points of the GDPR is that you can prove consent. If you’re able to prove that your subscribers consented to your emails, there’s no need to send a re-engagement email.

    Proof should include the data/time they signed up, as well as the source of the signup, both of which you can find in your AWeber account, plus a copy of the actual signup form used to collect their data.

    If you’re missing any of that info, it’s probably a good idea to ask them to re-confirm consent. To set this up, first create a segment of subscribers who need to re-confirm. Then send them an email, asking them to re-confirm. You can use our new click automation in broadcasts to apply a tag to your subscribers in your account, rather than have them fill out another signup form. Just be sure to also keep a copy of the re-engagement email you sent as proof of consent.

    If you don’t receive confirmed consent by May 25, you should delete them from your list and not email them again.

    I hope that answers your questions. Any other questions, please let us know.

    – Brandon

  21. Mary

    4/23/2018 1:58 pm

    Hi Brandon. Mary again. Do you have any templates or samples we could work from to craft a reconfirm email? Thx.

  22. Brandon Olson

    4/24/2018 3:51 pm

    Hi Mary!

    I’m actually working on a template as part of an upcoming blog post. Keep an eye out for the blog post when it goes live. 🙂

    Brandon

  23. Nick

    4/24/2018 6:45 am

    Hi Brandon, you wrote previously:

    “One of the main points of the GDPR is that you can prove consent. If you’re able to prove that your subscribers consented to your emails, there’s no need to send a re-engagement email…..”

    Does this mean that subscribers I have signed up over the last few years do not have to be re-signed up as they were double opted-in originally ?

  24. Brandon Olson

    4/24/2018 8:47 am

    Hey Nick!

    Thanks for the followup question. As long as you can prove that they opted in – meaning you have a date and timestamp, the source of the signup, and a copy (e.g., screenshot) of the collection mechanism (e.g., signup form, landing page, etc.) – they shouldn’t need to re-confirm their consent. If it’s unclear how they opted in, you should send a re-engagement email to capture that consent.

    If you’re not sure, you can reach out to our customer solutions team to double check.

    Brandon